On 27/03/12 08:01, Ludwig Nussel wrote:
> JFYI, CVE-2010-5077 was assigned to commit 1762 (DDoS mitigation)
> http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
> http://www.openwall.com/lists/oss-security/2012/03/26/2
> http://www.openwall.com/lists/oss-security/2012/03/26/5

It seems that backporting only r1762 isn't such a great idea, since
there's a regression (fixed in r1898) - after 2**32 milliseconds (about
50 days), Sys_Milliseconds() wraps around and the rate-limiting code
drops all getstatus requests.

r1762 also has some potentially-uninitialized variables (fixed in r1763)
although I'm not sure that they can actually be uninitialized in
practice, since that would require the address family to be neither IPv4
nor IPv6.

Finally, if backporting to something based on a particularly old version
of ioquake3 (Tremulous 1.1.0, I'm looking at you...), beware that the
rate-limiting code assumes that NA_BAD == 0 (it zero-fills a hash table
bucket with Com_Memset(), then checks against NA_BAD). This is fine for,
say, OpenArena 0.8.5, but when backporting to something older than r1566
you might need to change it to check for 0.

Is there anything else I should be aware of when backporting?

(Before anyone suggests it, no, in this context I can't just update to a
current version; in a stable release I need to use targeted patches.)

S
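
The clock-wraparound failure mode described in the message above, shown on a constructed leaky-bucket limiter. This is an added example, not ioquake3 code and not the r1762 or r1898 change. `bucket_t`, `allow_naive`, `allow_wrapsafe`, `count_allowed`, `BURST` and `PERIOD_MS` are assumed names and values, and the fragile variant is only a hypothetical way a limiter can end up dropping everything after the millisecond counter wraps.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed leaky bucket for illustration; limits below are assumed. */
typedef struct { uint32_t last_ms; uint32_t level; } bucket_t;
typedef bool (*limiter_fn)(bucket_t *, uint32_t now_ms);
enum { BURST = 10, PERIOD_MS = 100 };

/* Drain one unit per PERIOD_MS elapsed, then admit if below BURST. */
static bool drain_and_admit(bucket_t *b, uint32_t now_ms, uint32_t interval)
{
    uint32_t expired = interval / PERIOD_MS;
    b->level = expired >= b->level ? 0 : b->level - expired;
    b->last_ms = now_ms - interval % PERIOD_MS;
    if (b->level >= BURST) return false;
    b->level++;
    return true;
}

/* Hypothetical fragile variant: compares raw clock values, so once the
   counter wraps, "now" looks older than last_ms and nothing ever drains. */
static bool allow_naive(bucket_t *b, uint32_t now_ms)
{
    if (now_ms >= b->last_ms)
        return drain_and_admit(b, now_ms, now_ms - b->last_ms);
    if (b->level >= BURST) return false;   /* stays full until the clock catches up */
    b->level++;
    return true;
}

/* Wrap-safe variant: unsigned subtraction is modulo 2^32, so the elapsed
   time is correct across a wrap (for gaps shorter than 2^32 ms). */
static bool allow_wrapsafe(bucket_t *b, uint32_t now_ms)
{
    return drain_and_admit(b, now_ms, now_ms - b->last_ms);
}

/* Send n requests step_ms apart from start_ms; return how many pass. */
static unsigned count_allowed(limiter_fn allow, uint32_t start_ms,
                              uint32_t step_ms, unsigned n)
{
    bucket_t b = { start_ms, 0 };
    unsigned ok = 0;
    for (unsigned i = 0; i < n; i++)
        ok += allow(&b, start_ms + i * step_ms);  /* wraps like the clock */
    return ok;
}
```

With 30 requests one second apart starting 4.5 seconds before the wrap, the fragile variant admits 14 and then drops every later request, while the wrap-safe variant admits all 30 and still caps a same-instant burst at `BURST`.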